even if you trust your third parties, you still don't have full access to their systems, so you can't verify that they don't have the appropriate security controls in place to prevent somebody from compromising their systems

so if a 3rd party is breached and someone puts login and password inputs over mine, the user would be breached... but if we handled sign-on out of band (another window), would it be possible to safely provide some functional widget via double iframes?

kumavis: be aware that you are sending all your traffic through Incapsula in such a way that they can see its contents - if Incapsula were to be compromised, an attacker could theoretically intercept all your traffic as well

so, tl;dr: 1) Nonce link on English version of site should reference English Wikipedia, 2) It shouldn't advise timestamp or only do so with caveats clearly mentioned, 3) captcha needs to be improved, possibly including a reverse captcha, 4) API key needs to be clarified - is an "access_key" the user ID or the signing key? 5) there should be unique CSRF auth keys for each form/pageload, and they DEFINITELY shouldn't be reused, 6) should verify that the token is indeed really random and not derived from (guessable) data, 7) string/number return inconsistencies in API - should be "string everywhere", 8) Incapsula is a potential security issue as they can intercept all traffic, 9) double check whether negative 'count' params are a feature rather than a bug, because edge cases, 10) it does not handle large numbers correctly, 11) "too busy" should be 503, not 500

"Unlike other package management systems such as NPM, NuGet and RubyGems, Go does not provide a centralized repository for Go packages. The Go package management system is designed to work with modern scenarios where developers share source through repositories hosted on Github." lolwut